RHEL-10495

Tolerate absence of AD-SIGNEDPATH [rhel-8.10]

    • krb5-1.18.2-26.el8_9
    • ZStream
    • rhel-sst-idm-ipa
    • QE ack, Dev ack
    • 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4, 2023-Q4-Bravo-S5, 2023-Q4-Bravo-S6
    • Approved Blocker
    • Bug Fix
      .Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

      Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

      With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.
    • Done

      Cloned from https://pagure.io/freeipa/issue/9448

      ***
      Upstream mailing list discussion thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FLZYF6YKRRU5DIJ6RCYLJKI6Y2MGRE4B/

      If an evidence ticket is issued by an IPA KDC running krb5 1.20 or later, an IPA KDC running krb5 1.18.2 or earlier will fail the request with a KRB5KDC_ERR_BADOPTION error ("KDC can't fulfill requested option"):


      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371)
      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
      Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12
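      A small log check for this symptom, added here as an example and not part of the issue or of krb5: it walks krb5kdc log lines, pairs each TGS_REQ with the CONSTRAINED-DELEGATION follow-up line from the same worker pid, and reports S4U2Proxy requests that ended in "KDC can't fulfill requested option", so an admin can spot older KDCs rejecting evidence tickets from 1.20+ KDCs. The sample lines are constructed, modelled on the excerpt above.

```python
import re

# Constructed sample krb5kdc log lines, modelled on the excerpt in this issue (not the original capture).
# Worker 239017 rejects one S4U2Proxy request, then issues a second one normally.
SAMPLE_LOG = """\
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371)
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12
Sep 07 09:25:01 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.88.7: ISSUE: authtime 1694078700, etypes {rep=aes256-cts-hmac-sha1-96(18)} HTTP/web.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM
Sep 07 09:25:01 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/client2.ipa.example.com@IPA.EXAMPLE.COM
"""

BADOPTION_TEXT = "KDC can't fulfill requested option"  # message text of KRB5KDC_ERR_BADOPTION (-1765328371)

# "TGS_REQ (<etypes>) <client-ip>: ... <requesting principal> for <target principal>[, <error text>]"
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): TGS_REQ \(.*?\) (?P<ip>\S+): .*? "
    r"(?P<proxy>\S+) for (?P<target>[^\s,]+)(?:, (?P<status>.*))?$")
# The follow-up line the KDC logs for an S4U2Proxy (constrained delegation) request.
S4U_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): \.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u_client>\S+)")


def find_rejected_s4u2proxy(log_text):
    """Return one dict per S4U2Proxy request the KDC rejected with KRB5KDC_ERR_BADOPTION.

    Both lines of a request come from the same worker process, so the TGS_REQ line is
    held per pid until its CONSTRAINED-DELEGATION line (if any) arrives.
    """
    pending = {}   # pid -> most recent TGS_REQ from that worker
    findings = []
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m:
            pending[m["pid"]] = {
                "client_ip": m["ip"], "proxy_service": m["proxy"],
                "target_service": m["target"], "rejected": m["status"] == BADOPTION_TEXT}
            continue
        m = S4U_RE.search(line)
        if m:
            req = pending.pop(m["pid"], None)
            if req and req["rejected"]:
                req["s4u_client"] = m["s4u_client"]
                findings.append(req)
    return findings


if __name__ == "__main__":
    for f in find_rejected_s4u2proxy(SAMPLE_LOG):
        print(f"{f['proxy_service']} -> {f['target_service']} on behalf of {f['s4u_client']} "
              f"from {f['client_ip']}: rejected with {BADOPTION_TEXT!r}")
```

A hit from a service whose tickets come from a newer KDC is the mixed-version situation this issue fixes; run it against a rotated /var/log/krb5kdc.log after upgrading to confirm the rejections stop.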
